The Volokh Conspiracy
Ninth Circuit Reverses Probation Sentence for Transgender Hacker
"Paige Thompson committed the second largest data breach in United States history at the time, causing tens of millions of dollars in damage and emotional and reputational harm to numerous individuals and entities."
A short excerpt from the 9,000-word U.S. v. Thompson, decided yesterday by Ninth Circuit Judge Danielle J. Forrest, joined by Judge Johnnie B. Rawlinson:
Paige Thompson committed the second largest data breach in United States history at the time, causing tens of millions of dollars in damage and emotional and reputational harm to numerous individuals and entities. The district court correctly calculated Thompson's sentencing range under the Federal Sentencing Guidelines (the Guidelines) to be 168 to 210 months of imprisonment. It then granted a roughly 98% downward variance to time served (approximately 100 days) and five years of probation. Because the district court made clearly erroneous findings and did not properly weigh the 18 U.S.C. § 3553(a) sentencing factors, we conclude that the sentence it imposed is substantively unreasonable, and we vacate and remand for resentencing….
Before the events at issue, Thompson worked as a Systems Engineer at Amazon Simple Storage Service (S3). S3 is "an object storage service" offered to businesses by Amazon Web Services (AWS). Over two years after her employment at Amazon ended, Thompson began hacking AWS customers' accounts. She used a virtual private network service and The Onion Router network to anonymize her activity. Using a programming script, she scanned millions of publicly available IP addresses associated with AWS for vulnerabilities in their systems.
When Thompson found vulnerable accounts, she queried them for security credentials and saved those credentials on her computer. The credentials allowed Thompson to authenticate directly into AWS customers' cloud-computing environments. Once inside, if the credentials permitted, Thompson ran a "sync" command to download data from customers' cloud storage. In total, Thompson got credentials from at least 200 entities and stole data from at least 30 of them. For example, Thompson obtained Capital One's security credentials and downloaded personally identifying information (PII) of 98 million Americans.
Thompson then compressed and stored the data stolen from AWS customers on her computer, and she researched additional storage options. While Thompson did not sell or distribute any stolen information, she did research ways to profit from the data, bragged about possessing it, and encouraged others to hack vulnerable accounts. She also blamed her breaches on the companies' inadequate cybersecurity.
In addition to downloading private data, Thompson used AWS customers' computing power to mine cryptocurrency—a cyberattack known as "cryptojacking." Using the stolen security credentials, Thompson created new virtual servers in customers' cloud environments. She deployed cryptocurrency miners inside the virtual servers and mined cryptocurrency into her own virtual wallet. Cryptomining is expensive because it requires significant computer power. AWS customers were billed for the electricity used by Thompson's cryptojacking, while Thompson received the cryptocurrency payments. Thompson deleted the evidence of her cryptojacking from the companies' computer logs. …
In June 2019, Thompson decided to "dox" herself by sending unsolicited private Twitter messages about her data theft to cybersecurity professional Kat Valentine. The messages included links to the data and threats to distribute it. Valentine reported the data breach to Capital One. Capital One confirmed that its customers' data had been stolen, and it contacted the FBI. Less than two weeks later, the FBI searched Thompson's house and arrested her….
Thompson went to trial in June 2022. The jury convicted her on one count of wire fraud (felony) and six counts of computer fraud and abuse (four felonies and two misdemeanors)….
At the outset of the sentencing hearing the district court noted the significance of this case and gave the sentencing hearing a theme, stating: "[M]y theme is that, 'The arc of the moral universe is long, but it bends towards justice.'" After commenting at length about his career and the evolution of the criminal justice system, the district judge calculated Thompson's offense level as 35 and her Criminal History Category as I, resulting in a Guidelines range of 168 to 210 months. Noting that it had considered Thompson's offenses, the Guidelines, and the § 3553(a) factors, the court then imposed the requested alternative sentence offered by Probation—time-served and five years of probation, with three of those years being home detention. The court also ordered Thompson to complete 50 hours of community service per year while she was on probation.
The district court stated that "the question of what is justice here is a really, really hard question." It agreed with the Government that others considering the costs and benefits of committing crimes like Thompson's might decide that "if [they] can get away with credit for time served of 100 days, with the possibility of making a couple hundred million dollars … to take the chance." The court also found that Thompson committed "a terrible crime" but that she did "not do[ ] it in [a] malicious manner," such "as somebody who gets th[e] information and immediately turns to monetizing it." The court further found that Thompson "was tortured and tormented about what she did" and "was caught before she did anything bad, or anything good."
The district court also discussed the treatment of transgender individuals in federal prison. While it praised BOP's policy changes as evidence of "[t]he arc of the moral universe bend[ing] towards justice," it voiced concerns about transgender women who have not had reconstructive surgery being housed in women's prisons and the possibility that BOP policies might change in future presidential administrations.
The court determined that Thompson's mental health and trauma provided some explanation for her behavior, and it observed that Thompson's case might be "one of those rare times when a person's involvement with the criminal justice system may have actually saved their life." The court proclaimed that it did not believe Thompson would reoffend. Indeed, the district court encouraged Thompson to take a day of reflection to "think about what you have to atone for, and what you've achieved." The Government appeals Thompson's sentence.
The panel majority concluded that the judge's sharp downward departure from the recommended Guidelines sentence was unreasonable (for more details, see the full opinion):
As noted, Thompson committed one of the largest data breaches in American history. She hacked into and stole dozens of companies' data, including PII of nearly 100 million Americans just from Capital One. She also used the companies' own computing power to mine cryptocurrency, causing their AWS bills to skyrocket while she kept the proceeds of her illegal conduct and deleted evidence of her cryptojacking from her victims' computer logs.
Ultimately, Thompson caused at least $40 million in damage, and significant non-monetary harm. Her private communications demonstrate that she knew her conduct was unlawful and could result in imprisonment. In fact, Thompson specifically mused in an online chat, "[H]ow am I not in jail?" She then blamed AWS customers for failing to adequately "protect[ ] their assets," and she encouraged others to hack vulnerable accounts.
On this record, the district court's findings minimizing the nature, circumstances, and seriousness of Thompson's offenses are clearly erroneous.
First, it was clear error for the district court to conclude that Thompson's actions were not "malicious." By her own words, Thompson specifically targeted AWS customers that she concluded had inadequate security and she encouraged others to do the same. She also blamed her victims' incompetency for her thefts. These actions are the definition of malicious.
Second, the district court's finding that Thompson did not do anything "bad" before she was caught is clearly erroneous. While Thompson did not monetize the stolen PII for identity theft or other separate crimes, the data breaches alone were wrong, and the scale of her criminal activity warrants a serious consequence. Moreover, Thompson's suggestion that an ultimate good has come from her crimes because the companies that she targeted have now improved their security, falls flat where she could have pointed out the security flaws that she discovered without stealing private information or using others' computing power to mine cryptocurrency.
Third, the district court's finding that Thompson was "tortured and tormented about what she did" is not supported by the record. Thompson bragged about her crimes, encouraged others to commit the same offenses, researched illicit credit card trading forums, and threatened to leak sensitive information to the public. If Thompson was distressed about her criminal conduct, she could have reported her hacking directly to the victim companies or the FBI—rather than encouraging others to engage in the same conduct and "doxing" herself on Twitter….
The district court considered that Thompson is transgender, autistic, and has suffered prior trauma in her life. Thompson's personal background and characteristics are, of course, proper considerations at sentencing, but they may not be the sole basis for the chosen sentence. And the district court also speculated that recent BOP policy changes about housing transgender inmates may be undone by a future presidential administration. Such speculation regarding BOP policy is improper, especially when it apparently carried the weight it did in this sentencing. {The BOP has since changed its policies regarding the incarceration of transgender persons. See Exec. Order No. 14,168 (Jan. 30, 2025). The district court may consider this non-hypothetical policy on remand, but, consistent with this opinion, it may not do so at the expense of a proper weighing of all the § 3553(a) factors.} …
As the district court explained, hacking is "not … a crime of passion that [just] happens." Fraud crimes like those at issue here typically are calculated, and, as a result, are particularly amenable to general deterrence. But, while the district court acknowledged the Government's argument that a low sentence would incentivize similar crimes, it does not appear that it gave this factor meaningful weight in selecting the sentence that it imposed. This was a clear error of judgment….
As for specific deterrence, the district court explained that Thompson had evolved over the course of her case and that it was confident she would not reoffend. While district courts generally are better positioned to assess a defendant's risk of recidivism, the record here reveals that the district court may not have considered all the information relevant to this point. At sentencing, the Government presented evidence that, while awaiting trial, Thompson withdrew for her own purposes approximately $40,000 that she cryptojacked that could have been used to compensate victims and that, after she was found guilty and was awaiting sentencing, she used her computer for unauthorized purposes and lied about it.
The district court did not address this evidence or the Government's arguments, nor did it make any findings regarding these incidents. The failure to consider this highly relevant evidence to Thompson's risk of recidivism was an abuse of discretion….
Judge Jennifer Sung's dissent disagreed on most of those points; interested readers can find it here, starting on p. 25.
Tania M. Culbertson and Andrew C. Friedman represent the government.
I wonder if that ranking of data breaches still applies. Likely, the new champion data breach of all time has been committed by DOGE/Musk. Will we see comparable penalties?
Does that top the 200M people who had their personal information stolen in that OPM breach by China that Biden and the Democrat bureaucrats covered up and minimized to protect China?
What is a "Democrat bureaucrat"?
Not sure why this irks me, but it seems like EV does not get his headline quite right. Given that "Transgender" is not even notionally an aspect of computer hacking, but is relevant and controversial with regard to custody, it seems like a headline saying "Ninth Circuit Reverses Probation Sentence for Transgender Prisoner" would have been a better choice.
But "she" is not a prisoner, as the decision notes "she" was sentenced to time served.
If I am reading this correctly, she would not have been discovered had she not, in essence, turned herself in (by doxing herself to the security expert, who then of course went promptly to the feds).
An interesting case, with a defendant who had and has a wide variety of mental and psychological issues going on, obviously.
I’m sympathetic to the majority’s take. The defendant’s personal circumstances deserve consideration (along with every other factor that goes into sentencing), but this was a serious crime. Knocking the sentence down to time served and probation was outside any reasonable range of outcomes.
I noticed that too -- at what point does Mens Rea apply?
I didn't see it anywhere in the article but the judge in this case was Robert S. Lasnik, Clinton appointee.
" . . . including PII of nearly 100 million Americans just from Capital One . . . "
So there should have been 100 million charges, and 100 million sentences of 100 days.
Ah, silly civilian. You think individuals should be able to prosecute their own crimes? Ha! That is reserved for Government Almighty.
Witness this from the Supreme Court of Georgia, Holman v Athens Empire Laundry Co., 1919: "The pollution of the air, so far as reasonably necessary to the enjoyment of life and indispensable to the progress of society, is not actionable". This was a general reaction to individuals tracking down their own polluters. A book on the history of New York City oysters tells of New York City sniffer squads, from the 1800s into the 1900s, tracking down pollution sources and analyzing evidence such as soot on clothes drying outside to show who to sue. This individual responsibility began to be outlawed by courts and legislatures on the grounds it did not take the public good into account; it was up to the government to decide how much pollution the nation could tolerate, and apparently the same applies to data breaches.
Of course, private individuals can still decide who to sue. You don't seem to grasp even the most basic aspects of law, like the difference between civil and criminal.
It's my understanding that private actions for pollution are limited by overall policies as to the amount of pollution which should be allowed. Did I miss something?
"he also used the companies' own computing power to mine cryptocurrency, causing their AWS bills to skyrocket"
No one noticed this?!?
If you chew up all that CPU power, you'd think that your performance would decline and your (legitimate) users would start complaining about delays.
And competent bean counters kinda notice when bills skyrocket.
I'm not justifying what he/she/it did, I'm just amazed that no one in either IT or accounting caught it. So the log files got erased (and let's presume they couldn't be un-erased); you still have a bleepload of computing doing SOMETHING and money going toward it.
It seems the judge was flipping off the victims while publicly masturbating to the thought of his own righteousness in bending the arc of the universe toward "justice."
If someone is mentally ill, but not enough to be insane, and commits grave crimes, then of course the prison authorities should do something to protect him from persecution from other prisoners. The moral arc of the universe requires it. But turning such a criminal loose on the public is to insult the victims and cheat justice.
And when did we stop counting prison sentences based on "_ years and _ months"?
The guidelines range appears just as unreasonable as the time served sentence.
CFAA is one of the crimes where you need expert knowledge to commit, and where there is a legitimate use for that knowledge. The ability as an outsider to identify a live vulnerable system is impressive on its own. She misused her skills. And this is not a crime where the deterrence effect of jailing someone is material. Most attacks come from Russia, North Korea, or some other non-US jurisdictions.
The proper punishment for this offense is not years of life spent in a penitentiary, but a massive fine. She should be allowed to practice her skills (this time, without harming someone), perhaps back at Amazon. This would generate significant income (which can be used to pay fines and restitution) and contribute to improved cybersecurity for everyone.